Learning IT Security Lessons from iCloud

Ryan Kalember

Ryan Kalember

Remember the Apple iCloud hack of late 2014 involving photos of celebrities? The lurid details have been exhaustively documented elsewhere so let’s not dwell on them here. What, though, should your organisation take away from that particular episode in terms of security posture? As Ryan Kalember asserts, it’s critical to think about the security of your information at the file level rather than the device level.

Data-centric protection is critically important, particularly in the business arena and particularly for files, whether they’re selfies or strategy PowerPoints. With the relentless growth of Dropbox and iCloud, the walls around the typical organisation have disappeared. The only solution, then, is to build new walls around the data itself.

For a long time, information security groups like the Jericho Forum have worked to help organisations understand that their firewalls were no longer protecting their data in any meaningful way. As the iCloud attacks made abundantly clear, files are now moving between clouds and devices in both automated and manual ways, most of which involve exactly zero ‘choke points’ for IT to control that data flow.

In the iCloud attack, for instance, the prevailing theory is that celebrities’ iCloud accounts were compromised via what amounted to elaborate social engineering. The back-ups of their personal photos were synced not to their own devices, but rather to devices belonging to the attackers.

This type of compromise is exceedingly difficult to defend against. An IT organisation considering the security of the files that nearly all its users work with will find few good options. Using mobile device management software to turn off iCloud may be an option, but that will push users (who are, after all, chiefly interested in getting their work done) into the arms of free or ‘freemium’ file sync and share services.

The simple truth is that many businesses suffer from a false sense of security when it comes to popular box storage services. Right now, employees are using these services to access sensitive company data without really being aware of the vulnerabilities inherent in them.

The content stored here is only as secure as the people accessing it, with access controls disappearing the moment a user syncs files to an unmanaged device or opens a file in a third party app. Additionally, these services create a lot of confusion around who owns what, and most notably when an employee leaves the company.

Establishing an audit trail

File sync and share technologies have evolved significantly as enterprises have begun using them en masse. The critical feature to ensure is that they can be safely used by organisations with sensitive data to protect. Keeping files encrypted until an authorised user authenticates to work with them, enabling organisations to control functions like sharing and printing, as well as establishing an audit trail of actions taken with the files on any authenticated device are all key action points.

Additionally, these technologies (also known as information rights management) enable organisations to revoke access to the sensitive files whenever they choose, leaving attackers, former employees or disgruntled insiders in possession of a lump of encrypted data and not the corporate crown jewels, regardless of where the file has been copied, synced or sent.

Critically, though, information rights management cannot be a hindrance to users if this is all to work as designed. There are simply too many workarounds in every app store. Information rights management must work across all devices (and the web), and technologies that use it must meet the twin challenges of making files both secure and usable everywhere they need to go in the course of a business workflow.

That means enabling work wherever you are and with whomever you are working. It means using any device suitable or available to read or annotate a document. It means sharing work-in-progress with a few, and publishing authoritative content to the many as well as protecting intellectual property and sensitive information (whether at rest or in transit) on-premises, in the cloud or on a device.

We’re also talking about satisfying the different needs of the casual user and the power user, being as useful on a mobile device as on a traditional computer and working with line-of-business and collaboration systems that the business already owns (not to mention those it’s thinking of purchasing).

Creating, editing, processing, sharing

Business efficacy, regulatory compliance, information security and employee productivity are all affected by the way in which employees create, edit, process and share documents, so the selection of enterprise file sync and share products is very much on the critical path of IT-related business investments.

Let’s face it, one of the key challenges confronting CIOs and IT managers today is managing Bring Your Own Device while regaining control of enterprise content without impacting on productivity and, in turn, creating mass user disenchantment.

Considering how digitally advanced we’ve become, we’re still remarkably naïve about basic Internet security. The most common techniques used by hackers have been the same for years: social engineering, phishing attacks, remote access tools and password recovery and reset prompts. While these are not overly sophisticated methods, users fall victim to them time and time again.

Enterprises need to make secure mobile and online practices a priority. They also need to consider a more file-centric security approach, particularly if content is going to be accessed by employees from personal mobile devices or shared with external business partners.

Phishing attacks may be more sophisticated – poorly written e-mails from foreign princes giving away their fortunes are increasingly rare – but these attempts are still fairly obvious if you know what to watch for. Therefore, frequent security training should also be a requirement to ensure employees know how to identify and avoid these ploys.

While most enterprises are not concerned that their own privacy will become fodder for public consumption in the way that celebrities’ selfies are, this should serve as a cautionary tale about consumer-based cloud services that every enterprise employee and employer ought to be considering in some detail.

Ryan Kalember is Chief Product and Marketing Officer at WatchDox by BlackBerry

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts